Security or Privacy? What is the meaning of this?

Summary: This blog discusses the difference between privacy and security. Security is what is used to protect your privacy.

So, for this week one blog I wanted to focus on the difference between security and privacy in the healthcare industry. I actually started this blog about healthcare information security when I took CIS608 in 2017. I chose the topic because in 2006 my personal health information was possibly compromised. I saw possibly because they had no idea what was actually taken, only that there had been a breach. So of course, the fix was monitor your credit information, except back then they did not offer the funds to do so. If you read my blogs dating back to CIS608 you will see that not much has changed and in fact, breaches are still quite common. So, what is the difference between privacy and security?

              The way I tend to think about it is security helps to defend your privacy. One way to look at this is when looking at a fence like the image above retrieved from http://cyntell.com/blog/privacy-versus-security/. The fence provides security from intruders entering your property. It serves as a barrier. However, outsiders can still see inside your fence. Thus, perhaps they see you when you sunbathe. This is something you probably prefer your neighbors or strangers to see. Thus you would install a privacy fence. This fence is typically slatted from both sides such that you cannot see through the gaps the fence normally provides. This is privacy, it allows you to do what you want without being seen, or what you may have in your yard. Security programs are designed to protect the informational assets an organization collects and maintains, whereas a privacy program is focused on the personal information those assets contain (Siegel, 2016). So how does this apply in a medical field?
              The Health Insurance Portability and Accountability Act of 1996 (HIPPA), Public Law 104-191, is the way privacy and security are addressed in law. In fact, from that law the U.S. Department of Health & Human Services (HHS) established several different rules. Two of those rules that are applicable to this blog were the Privacy Rule of December 2000 and the Security Rule which was published in February 2003.

You can find a lot of information on the privacy rule directly from https://www.hhs.gov/hipaa/for-professionals/privacy/laws-regulations/index.html. According to their site the information that is protected includes “demographic data that relates to an individual’s past, present, or future physical or mental health or condition”, “the provision of health care to the individual”, and even payments. So, therapist notes or your medical records are considered and can’t be released without your information with the exception of a few special cases. For example, if you are a serious threat to health or safety.

The HHS Security Rule can also be found at https://www.hhs.gov/hipaa/for-professionals/security/index.html. It “establishes national standards to protect individuals’ electronic personal health information that is created, received, used, or maintained by a covered entity”. As this comment states it only applies to electronic health data. It aims to protect the CIA triangle (confidentiality, availability, and integrity). This rule protects all personal information that could be associated with you. It requires several different types of safeguards. These are administrative, physical, and technical. Some of the administrative safeguards include assigning a security official and conducted evaluations (audits) that they are meeting the requirements. Physical safeguards primary deal with physical access to facilities and systems. Technical controls include measures to protect data like encryption.

Both of these rules have pages of information about them. I just highlighted some of them to help explain the difference between the two. So, to break this down, things I am allergic to is my private information. Security is what protects that information. Making sure that medical personnel have to use some sort of authorization to access those files. Also, when transferring that information, they must protect it in transit. This is also a reason the medical offices typically ask if you are willing to share your information. You can deny this option; however, a good reason to allow it is quick access to those files. For example, if you were to get injured in another state, your medical provider could send them your files if you had signed allowing them to do that. They have the responsibility to protect that information when they do send it.

So, you may be asking why would these rules even matter. As I mentioned in the beginning my medical records were potentially compromised. Do you know what kind of information is in these files? These contain social security numbers, home addresses, and your health histories, including family history. Thus, there is very lucrative information there. In fact according to https://www.cnbc.com/2014/05/29/hackers-are-coming-after-your-medical-records.html, medical records were selling for $20 on the black market. It also does not help that the medical providers have weak security. Just like the WannaCry virus that targeted older operating systems that Windows no longer supported like XP. Most health companies use these older systems. In fact looking at the chart below, it is projected that medical breaches will impact 1 in 13 patients over 5 years (https://www.computerworld.com/article/3090566/hackers-are-coming-for-your-healthcare-records-heres-why.htmlv). 

              In conclusion, knowing the difference between security and privacy is important with regards to medical information. Knowing what is important to protect and how to protect it is crucial to protecting everyone’s health information. Hopefully laws like HIPPA force medical providers to do a better job securing our privacy.